DATA PROTECTION
EU Court of Justice: a guardian who has ceased to hold office is an external third party, data controller, and must grant access at the request of the interested subject previously represented.
The clarification was given by the EU Court of Justice in its judgment in Case C 461/22.
The affair involved a German lawyer, who served for a time as a guardian for a person. The latter, at the end of the service rendered by the lawyer, initiated an action against the lawyer to obtain, pursuant to Article 15 of the GDPR, access to his personal data, collected by the lawyer himself during the performance of his duties. During the proceedings, the German judges had doubts about the qualification of the guardian, i.e. about the possibility of attributing him the role of "data controller", a necessary prerequisite for the request for access to data.
The EU Court's answer distinguishes the guardian in service (who is obviously a legal representative and not an external third party) from those who have performed the task in the past and have ceased.
The terminated guardian is no longer a representative of the client and is, therefore, a third party vis-à-vis a person previously followed. Furthermore, the administration provided by a professional is not an activity carried out for exclusively personal purposes (to which the GDPR does not apply) even if the professional is chosen – as in the case – from the circle of acquaintances of the represented person and carries out activities free of charge. On the basis of this reasoning, the CJEU clarified that a previous guardin who has performed his or her functions in a professional capacity in relation to a person he or she has assisted, must be qualified, pursuant to Article 4 of the GDPR, as a 'controller' of the personal data in his or her possession concerning that person, and is therefore required to comply with a request for access to data pursuant to Art. 15.
The affair involved a German lawyer, who served for a time as a guardian for a person. The latter, at the end of the service rendered by the lawyer, initiated an action against the lawyer to obtain, pursuant to Article 15 of the GDPR, access to his personal data, collected by the lawyer himself during the performance of his duties. During the proceedings, the German judges had doubts about the qualification of the guardian, i.e. about the possibility of attributing him the role of "data controller", a necessary prerequisite for the request for access to data.
The EU Court's answer distinguishes the guardian in service (who is obviously a legal representative and not an external third party) from those who have performed the task in the past and have ceased.
The terminated guardian is no longer a representative of the client and is, therefore, a third party vis-à-vis a person previously followed. Furthermore, the administration provided by a professional is not an activity carried out for exclusively personal purposes (to which the GDPR does not apply) even if the professional is chosen – as in the case – from the circle of acquaintances of the represented person and carries out activities free of charge. On the basis of this reasoning, the CJEU clarified that a previous guardin who has performed his or her functions in a professional capacity in relation to a person he or she has assisted, must be qualified, pursuant to Article 4 of the GDPR, as a 'controller' of the personal data in his or her possession concerning that person, and is therefore required to comply with a request for access to data pursuant to Art. 15.
